EP2193406B1 - Method for the access control to an automation unit - Google Patents

Publication number
EP2193406B1
Authority
EP
European Patent Office
Prior art keywords
emergency
access rights
activation
safety mode
access
Legal status
Active
Application number
EP08803303A
Other languages
German (de)
French (fr)
Other versions
EP2193406A1 (en)
Inventor
Rainer Falk
Florian Kohlmayer
Andreas KÖPF
Current Assignee
Siemens AG
Original Assignee
Siemens AG

Classifications

    • G: PHYSICS
    • G05: CONTROLLING; REGULATING
    • G05B: CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00: Programme-control systems
    • G05B19/02: Programme-control systems electric
    • G05B19/04: Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042: Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G: PHYSICS
    • G05: CONTROLLING; REGULATING
    • G05B: CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00: Program-control systems
    • G05B2219/20: Pc systems
    • G05B2219/24: Pc safety
    • G05B2219/24159: Several levels of security, passwords

Definitions

  • Access control is an essential security function that determines and enforces who may perform which actions. For example, it can be specified which accesses operating personnel may make in order to operate and monitor a procedure, a production facility, or a procedural or manufacturing process.
  • RBAC: Role Based Access Control
  • Groups are defined according to the tasks involved. Access rights are assigned to individual groups. Individual employees are assigned to the groups corresponding to their tasks and thus receive the access rights required for their task.
  • RBAC means that a single employee performs different tasks at different times and accordingly assumes different roles at different times. If the employee's tasks change between points in time, he performs a role change in order to obtain the access rights assigned to the role currently assumed.
  • A method according to the invention for access control to an automation system provides that the access rights specified by the access control depend on the operating state of the automation system, and that at least in an emergency, independently of the access rights in normal operation, access rights extended relative to those in normal operation are granted.
  • roles are defined that correspond to the different operating states of an automation system. There is no arbitrary role change as with RBAC; instead, the access rights depend on the operating state. In normal operation a high degree of security is achieved and access rights can be set restrictively, since the extended access rights needed only in a special operating state, such as during maintenance or in an emergency, are granted only then. This can also be regarded as a kind of override functionality in which, under certain circumstances, the access control can be overridden.
  • An advantageous embodiment of the invention provides that the automation system is monitored to detect the operating state.
  • the monitoring can take place automatically by means of suitable sensors or be carried out by operating and maintenance personnel.
  • an emergency is triggered automatically as soon as certain process variables of the automation system exceed predetermined limit values. It is also conceivable that an emergency is triggered manually by the operating and monitoring personnel.
  • An advantageous embodiment of the invention provides that the access rights are set tightly in normal operation in order to avoid incorrect operation and unauthorized access.
  • Another advantageous embodiment of the invention provides that the access rights are defined role-based in normal operation.
  • a further advantageous embodiment of the invention provides that in normal operation, in order to obtain access rights and/or additional and/or other access rights, an identification or authentication of the accessing party is performed, for example by a log-in procedure.
  • the log-in procedure can be configured as desired, for example by entering a user name and/or password, by an authentication token such as a chip card or a wireless token, or by a fingerprint or other biometric identification.
  • An additional advantageous embodiment of the invention provides that when an emergency occurs, an alarm is triggered for automatic alerting and activation of emergency measures; for example, emergency crews can confirm the emergency.
  • a particularly advantageous embodiment of the invention provides that, at least during an emergency or in an operating state in which extended access rights are granted, the actions and accesses made by operating and maintenance personnel are recorded, for example by a video camera, and/or logged, for example on a logging server. If necessary, access rights can thus be exceeded. However, this is captured both by recording and logging the accesses made and by activating video surveillance, so it can be checked afterwards whether this actually happened for legitimate reasons.
  • An advantageous embodiment of the invention provides that at least in an emergency a special emergency safety mode is provided, in which the hard or tight control and allocation of access rights intended for normal operation is replaced by softer measures that are, however, evaluated afterwards or can be evaluated afterwards.
  • the replacement of the hard security measures of normal operation by soft security measures in an emergency enables all necessary measures to be carried out by operating and monitoring personnel. Abuse is nevertheless prevented because the triggering of the emergency as well as the actions taken and the accesses made are subsequently traceable.
  • the softer measures include granting extended access rights and/or optionally disabling the control and granting of access rights altogether, thereby allowing all actions and accesses.
  • the softer measures include waiving authentication, for example by log-in, so that anyone can use the operating and monitoring device that controls the automation system.
  • preferably the accesses made are recorded and logged. This can be done on the operating and monitoring device itself or on a logging server provided specifically for this purpose, for example housed in an emergency-proof, such as fireproof and/or explosion-proof, room.
  • video surveillance or video recording can be activated in order to determine from the recorded video material who triggered the emergency security mode and who performed which accesses or actions.
  • the emergency security mode preferably comprises a plurality of sub-levels with different access rights, which can be activated step by step. Since even slightly higher access rights may suffice as first aid to avert the worst in an emergency, the emergency safety mode preferably comprises several sub-levels. These can be activated step by step. In a first emergency activation stage, for example, only the most necessary rights are granted, for example to delay an imminent emergency and initiate simple countermeasures. If further measures are necessary to prevent the emergency, a second emergency activation stage must also be activated, which grants even more extensive, for example unrestricted, access. For example, it is conceivable that permanent configuration changes can then also be made.
  • the activation of such a second emergency activation stage can then be more elaborately protected than that of the first emergency activation stage.
  • the first emergency activation stage can be activated by a mouse click on the user interface of the operating and monitoring device, and the second emergency activation stage only via a physical safety switch, which can be actuated, for example, only after breaking a protective glass.
  • An activation of the emergency safety mode can be done manually, for example by pressing a special button on a graphical user interface. So that the emergency safety mode is not activated for convenience in regular operational operation, a special button is provided on a graphical user interface whose actuation causes a manual change to the emergency safety mode.
  • the manual change to the emergency safety mode can be accessible to all employees, or only to certain authenticated employees, for example only to the foreman.
  • a physical safety switch may be, for example, a key switch, a break-glass push-button as known from fire alarm call points, or two spatially separated switches that must be operated by at least two people, preferably simultaneously. In the latter case, both switches can be mounted on the automation system, but at such a distance from each other that they cannot be operated simultaneously by one person alone.
  • the two switches can also be arranged spatially separated from one another, so that one switch is, for example, attached to the automation system itself and the second switch is located in a remote security center.
  • the physical switch can be coupled with a fire or alarm button, so that an alarm is additionally raised when it is actuated, for example to a plant fire brigade.
  • a manual activation of the emergency security mode can take place by a special log-in procedure, for example entering a special emergency password or using a special emergency authentication token, such as an emergency chip card.
  • An activation of the emergency safety mode is preferably carried out automatically depending on the operating state of the automation system.
  • certain parameters of the automation system are monitored and it is determined automatically, for example by comparison with predetermined limits for these parameters, whether a normal operating state or an emergency exists.
  • pressure and temperature can be measured by suitable, preferably redundantly arranged sensors and automatically monitored by comparison with established limits, such as a maximum permissible temperature, a maximum permissible pressure, a minimum temperature and a minimum pressure, in order to determine whether the measured pressure and temperature values of the automation system lie within the permissible operating range for the process being carried out, i.e. whether a normal operating state exists; if not, an emergency exists.
  • the engine speed can be monitored and compared with setpoints.
  • the emergency safety mode may persist after activation until it is manually deactivated again, for example by actuating a switch or the like.
  • the emergency security mode is automatically deactivated again a certain predetermined period of time after its activation.
  • the emergency safety mode can be automatically deactivated after activation after averting an emergency, for example when the measured values detected by sensors are again within a permissible operating range.
  • the emergency safety mode remains activated only as long as a corresponding activation switch or the like is kept pressed or operated.
  • An automation system 01 illustrated in Fig. 1 comprises a stirrer 02 which is driven by a motor 03.
  • the stirrer 02 stirs a substance in a container 04.
  • the container 04 contains a heater 05 and a temperature sensor 06, which are both connected to a process computer 07. Pipelines for transporting the substance into and out of the container 04 are not shown.
  • the process computer 07 is connected to an operating and monitoring device 08.
  • the operating and monitoring device 08 is connected to an emergency switch 09, a video camera 10, and a logging server 11.
  • the operating and maintenance staff 12 monitors and controls the process of stirring the substance in the container 04 via the operating and monitoring device 08.
  • the operating and maintenance personnel 12 actuates the emergency switch 09, whereupon the operating and maintenance personnel 12 receives unrestricted access rights and thus unrestricted access.
  • the actions and accesses made by the operating and maintenance personnel 12 are recorded by the video camera 10 and logged on the logging server 11.
  • a tight access control is carried out for the regular operation of an automation system with an operating and monitoring device, in which the operating personnel must authenticate, for example by a log-in, and can only make those accesses on the operating and monitoring device that are permitted by a defined access control policy.
  • the aim is less to achieve high confidentiality of the transmitted automation data, but rather to avoid incorrect operation and unauthorized access.
  • extended access rights are necessary there.
  • extended access rights are granted in emergencies. It allows a fast and flexible action that is not hindered or unnecessarily complicated by IT security measures.
  • access rights can be exceeded if required. However, this is captured both by recording and logging the accesses and by the activation of video surveillance, so it can be checked whether this actually happened for legitimate reasons.
  • the emergency security mode can comprise several sub-levels. These can be activated step by step. In a first emergency activation stage, for example, only the most necessary rights are granted, for example to delay an imminent emergency and initiate simple countermeasures. If further measures are necessary to prevent the emergency, a second emergency activation stage must also be activated, which grants even more extensive, for example unrestricted, access. For example, it is conceivable that permanent configuration changes can then also be made. The activation of such a second emergency activation stage can then be more elaborately protected than that of the first emergency activation stage.
  • the change to the emergency safety mode can be done in different ways. It is important that the special meaning is clear and thus an activation for convenience in regular operations is omitted.
  • a first variant which ensures that the emergency safety mode is not activated for convenience in regular operational operation can be achieved, for example, by means of a special button on a graphical user interface, the actuation of which results in a manual change to the emergency safety mode.
  • the manual switch to emergency security mode may be accessible to all employees, or only to certain authenticated employees, such as only the foreman.
  • a second variant, which ensures that the emergency safety mode is not activated for convenience in regular operational operation, is the use of a physical safety switch to activate the emergency safety mode.
  • a physical safety switch can be, for example, a key switch, a break-glass push-button as known from fire alarm call points, or two spatially separated switches that must preferably be actuated simultaneously by at least two people. In the latter case, both switches can be mounted on the automation system, but at such a distance from each other that they cannot be operated simultaneously by one person alone. The two switches can also be arranged spatially separated from one another, so that one switch is, for example, attached to the automation system itself and the second switch is located in a remote security center.
  • the physical safety switches described can be coupled with a real fire or alarm button, so that an alarm is additionally raised when actuated, for example to a plant fire brigade.
  • a third variant which ensures that the emergency security mode is not activated for convenience in regular operational operation provides a special log-in procedure, such as entering a special emergency password or using a special emergency authentication token, such as an emergency smart card.
  • a fourth variant which ensures that the emergency safety mode is not activated for convenience in regular operational operation is an activation that depends automatically on the operating state of the automation system. For this purpose, certain parameters of the automation system are monitored and it is determined automatically, for example by comparison with predetermined limits for these parameters, whether a normal operating state or an emergency exists.
  • pressure and temperature can be measured by suitable, preferably redundantly arranged sensors and automatically monitored by comparison with established limits, such as a maximum permissible temperature, a maximum permissible pressure, a minimum temperature and a minimum pressure, in order to determine whether the measured pressure and temperature values of the automation system lie within the permissible operating range for the process being carried out, i.e. whether a normal operating state exists; if not, an emergency exists.
  • the emergency safety mode either remains permanently after activation until it is manually deactivated again, for example by actuating a switch or the like, or it is automatically deactivated again after a certain predetermined period of time.
  • the emergency safety mode can be deactivated automatically even after an emergency has been averted, for example if the measured values recorded by sensors are again within the permissible operating range.
  • the emergency safety mode remains activated only as long as a corresponding activation switch or the like is actuated or kept actuated.

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Safety Devices In Control Systems (AREA)
  • Alarm Systems (AREA)
  • Testing And Monitoring For Control Systems (AREA)
  • Storage Device Security (AREA)

Abstract

In a method for the access control to an automation unit (01), access rights predetermined by the access control are dependent on the operating state of the automation unit (01), wherein at least during an emergency, expanded access rights in relation to normal operation are granted independently of the access rights during normal operation.

Description

With the advent of information technology (IT) in automation and its increasing integration with office environments, the need for security solutions for automation environments also grows. Access control is an essential security function that determines and enforces who may perform which actions. For example, it can be specified which accesses operating personnel may make in order to operate and monitor a procedure, a production facility, or a procedural or manufacturing process.

Three main pillars of IT security are confidentiality, integrity and availability. In typical office environments, confidentiality and integrity of the data usually matter most. In the automation environment, however, availability is usually more important than the confidentiality of the data. Typically, hardly any highly secret data is transmitted over the network; mainly control and status commands are.

Because of the environment of use, special boundary conditions must be taken into account there. For example, in a process-engineering automation environment of the process industry, a physical process such as heating and stirring an adhesive must not simply be halted when a security emergency occurs in the plant control system. Conversely, in an emergency such as overheating of the adhesive, IT security measures must not prevent intervention by operating personnel. Tightly set access rights, desirable as they are from the IT security point of view, must not result in the manual interventions required in such an emergency being blocked or made unnecessarily difficult.

Role-based access control (RBAC) is known. In practice, this is often understood merely as role-based administration of access rights. Groups are defined according to the tasks that arise. Access rights are assigned to the individual groups. Individual employees are assigned to the groups corresponding to their tasks and thus receive the access rights required for their task.

From the theoretical point of view, RBAC means that a single employee performs different tasks at different times and accordingly assumes different roles at different times. If the employee's tasks change between points in time, he performs a role change each time in order to obtain the access rights assigned to the role currently assumed.

From EP1621944 A2, a method for access control to an automation system is known in which the access rights specified by the access control depend on the operating state of the automation system.

Covington et al., "Securing Context-Aware Applications Using Environment Roles", Proceedings of the Sixth ACM Symposium on Access Control Models and Technologies, Chantilly, Virginia, United States, pp. 10-20, 2001, ISBN 1-58113-350-2, further discloses a context-based access control for the care and monitoring of elderly people at home, in which access rights depend on context information, also referred to as environment information. This context information concerns the time of day, the day of the week, the location, or the current status of a workflow. Access rights are assigned to particular environment roles. Different environment roles can be triggered by context information. Activation of an environment role can automatically trigger an action. For example, when the environment role "injured" is activated, an emergency call is automatically established.

An object of the invention can be seen as providing an access control that is better adapted to an automation environment.

According to the invention, the object is achieved by the features of claim 1.

A method according to the invention for access control to an automation system provides that the access rights specified by the access control depend on the operating state of the automation system, wherein at least in an emergency, independently of the access rights in normal operation, access rights extended relative to those in normal operation are granted.

By granting emergency access with extended access rights at least in emergencies, fast and flexible action is made possible that is not hindered or unnecessarily complicated by IT security measures.

Advantages of the invention over the prior art arise in particular from the fact that, for regular operational use of the automation system, access rights can be set restrictively according to the requirements of regular operation. For special operating states, in particular in an emergency, correspondingly extended access rights are granted.

In principle, roles are defined that correspond to the different operating states of an automation system. There is no arbitrary role change as with RBAC; instead, the access rights depend on the operating state. In normal operation a high degree of security is achieved and access rights can be set restrictively, since the extended access rights needed only in a special operating state, such as during maintenance work or in an emergency, are granted only then. This can also be regarded as a kind of override functionality in which, under certain circumstances, the control of access rights can be overridden.

Furthermore, the administration of access rights is simplified, since only the access rights for normal operation need to be specified exactly and tightly. In special situations, extended access rights are granted on the assumption that qualified and trustworthy operating and maintenance personnel will not misuse access rights under such circumstances. This trust is founded on the fact that a high degree of responsibility is placed on the operating and maintenance personnel anyway, since they must carry out maintenance tasks, such as tool changes, calibration, or a controlled shutdown of a process, that are not or not fully automated.

An advantageous embodiment of the invention provides that the automation system is monitored in order to detect the operating state. The monitoring can take place automatically by means of suitable sensors or can be carried out by operating and maintenance personnel.

Preferably, an emergency is triggered automatically as soon as certain process variables of the automation system exceed predetermined limit values. It is also conceivable that an emergency is triggered manually by the operating and monitoring personnel.

An advantageous embodiment of the invention provides that the access rights in normal operation are defined narrowly in order to avoid operating errors and unauthorized accesses.

Another advantageous embodiment of the invention provides that the access rights in normal operation are defined on a role basis.

A further advantageous embodiment of the invention provides that, in normal operation, an identification of the accessing party or an authentication, for example by means of a log-in procedure, is carried out in order to obtain access rights and/or to obtain additional and/or different access rights. The log-in procedure can be designed in any way, for example by entering a user name and/or password, by an authentication token, such as a chip card or a wireless token, or by a fingerprint or other biometric identification.

An additional advantageous embodiment of the invention provides that, when an emergency occurs, an alarm is triggered for automatic alerting and activation of emergency measures, for example so that emergency crews can confirm the emergency.

A particularly advantageous embodiment of the invention provides that, at least during an emergency or in an operating state in which extended access rights are granted, the actions and accesses carried out by operating and maintenance personnel are recorded, for example by a video camera, and/or logged, for example on a logging server. Access rights can thus be exceeded when needed, as it were on request. However, this is captured both by recording and logging the accesses made and by activating video surveillance, so that it can subsequently be verified whether this actually happened for a legitimate reason.

An advantageous embodiment of the invention provides that, at least in an emergency, a special emergency safety mode is provided in which the hard or tight control and allocation of access rights intended for normal operation is replaced by softer measures, which can, however, be evaluated subsequently or are evaluated subsequently. Replacing the hard security measures that apply in normal operation with soft security measures in an emergency enables all necessary measures to be carried out by the operating and monitoring personnel. Abuse is nevertheless prevented, since the fact that the emergency was triggered, as well as the actions taken and the accesses made, can be traced subsequently.

Preferably, the softer measures comprise granting extended access rights and/or, where appropriate, deactivating the control and allocation of access rights, whereby all actions and accesses are permitted.

Alternatively, it is conceivable that the softer measures comprise dispensing with authentication, for example by log-in, so that anyone can use an operating and monitoring device that controls the automation system.

For the subsequent evaluation of the softer measures, the accesses made are preferably recorded and logged. This can be done on the operating and monitoring device itself or on a logging server provided specifically for this purpose, for example one housed in an emergency-proof room, such as a fireproof and/or explosion-proof room.

For the subsequent evaluation of the softer measures, video surveillance or video recording can be activated, for example, in order to determine from the recorded video material who triggered the emergency safety mode and who carried out which accesses or actions.

The emergency safety mode preferably comprises several sub-levels with different access rights, which can be activated or are activated step by step. Since even slightly higher access rights may already suffice to avert the worst in an emergency, as a kind of first aid, the emergency safety mode preferably comprises several sub-levels. These can be activated step by step. In a first emergency activation stage, for example, only the most essential rights can be granted, for example in order to delay an imminent emergency and to initiate simple countermeasures. If more far-reaching measures are necessary to prevent the emergency, a second emergency activation stage must then also be activated, which grants even more extensive, for example unrestricted, access. For example, it is conceivable that permanent configuration changes can also be made at this stage. The activation of such a second emergency activation stage can then be protected more elaborately than that of the first emergency activation stage. For example, it is conceivable that the first emergency activation stage can be activated by a mouse click on the user interface of the operating and monitoring device, while the second emergency activation stage can be activated only via a physical safety switch, which, for example, can be operated only after breaking a protective glass.

The emergency safety mode can be activated manually, for example by operating a special button on a graphical user interface. So that the emergency safety mode is not activated out of convenience during regular operation, a special button is provided on a graphical user interface for this purpose, the operation of which effects a manual switch to the emergency safety mode. The manual switch to the emergency safety mode can be accessible to all employees, or only to certain authenticated employees, for example only to the foreman or foremen.

Alternatively, the emergency safety mode can be activated manually by operating a physical safety switch. Such a physical safety switch can be, for example, a key switch, a push-button behind a break-glass panel, as is known from fire alarms, or two spatially separated switches that must be operated by at least two persons, preferably simultaneously. In the latter case, both switches can be mounted on the automation system, but at such a distance that they cannot be operated simultaneously by one person alone. The two switches can also be arranged spatially separated from one another such that one switch is mounted, for example, on the automation system itself and the second switch in a remote security control center.

The physical switch can be coupled with a fire or alarm button, so that operating it additionally triggers an alarm, for example to a plant fire brigade.

Furthermore, it is conceivable that the emergency safety mode is activated manually by a special log-in procedure, for example by entering a special emergency password or by using a special emergency authentication token, such as an emergency chip card.

The emergency safety mode is preferably activated automatically depending on the operating state of the automation system. For this purpose, certain parameters of the automation system are monitored, and it is decided automatically, for example by comparison with predetermined limit values for these parameters, whether a normal operating state or an emergency exists. In process engineering automation systems, for example, pressure and temperature can be measured by suitable, preferably redundantly arranged, sensors. By comparison with defined limit values, such as a maximum permissible temperature, a maximum permissible pressure, a minimum temperature and a minimum pressure, it can be monitored and determined automatically whether the measured values for pressure and temperature in the automation system lie within a defined permissible operating range while a particular process is being carried out, i.e. whether a normal operating state exists, or not, i.e. whether an emergency exists. Alternatively, the motor speed can be monitored and compared with defined setpoints.

The emergency safety mode can remain in effect after activation until it is manually deactivated again, for example by operating a switch or the like.

Alternatively, it is conceivable that the emergency safety mode is automatically deactivated again after a certain predetermined period of time following activation.

Likewise, the emergency safety mode can be deactivated automatically after activation once an emergency has been averted, for example when the measured values detected by sensors are again within a permissible operating range.

Furthermore, it is conceivable that the emergency safety mode remains activated only as long as a corresponding activation switch or the like is operated or held in the operated position.
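The state-dependent access control described above, with automatic emergency detection from redundant sensor readings, extended rights in the emergency safety mode, an audit log for subsequent evaluation, and automatic deactivation once the readings are back in range or a hold time has elapsed, as an added example that is not code from the patent. The roles, actions, limit values, hold time and the rule that a single out-of-range reading among redundant sensors already counts as an emergency are assumptions of this example.

```python
"""Operating-state-dependent access control (added example, not the patent's code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Sequence, Set, Tuple


class State(Enum):
    NORMAL = "normal"
    EMERGENCY = "emergency"


@dataclass(frozen=True)
class Limits:
    """Permissible operating range for one process step (constructed values)."""
    t_min: float
    t_max: float
    p_min: float
    p_max: float

    def in_range(self, temps: Sequence[float], pressures: Sequence[float]) -> bool:
        # Redundant sensors: a single reading outside the range already counts
        # as "out of range" (conservative choice, an assumption of this example).
        return (all(self.t_min <= t <= self.t_max for t in temps)
                and all(self.p_min <= p <= self.p_max for p in pressures))


@dataclass
class AccessController:
    limits: Limits
    hold_seconds: float  # emergency mode is dropped automatically after this time
    # Normal operation: narrow, role-based rights (assumed roles and actions).
    normal_rights: Dict[str, Set[str]] = field(default_factory=lambda: {
        "operator": {"read_values", "start_stirrer", "stop_stirrer"},
        "maintainer": {"read_values", "calibrate_sensor"},
    })
    # Emergency safety mode: extended rights granted regardless of role.
    emergency_rights: Set[str] = field(default_factory=lambda: {
        "read_values", "start_stirrer", "stop_stirrer", "calibrate_sensor",
        "heater_off", "shutdown"})
    state: State = State.NORMAL
    emergency_since: Optional[float] = None
    # Audit records (time, actor, event, detail) kept for subsequent evaluation.
    audit_log: List[Tuple] = field(default_factory=list)

    def evaluate_sensors(self, now: float, temps: Sequence[float],
                         pressures: Sequence[float]) -> State:
        """Derive the operating state from the current readings."""
        ok = self.limits.in_range(temps, pressures)
        if self.state is State.NORMAL and not ok:
            # Limit value exceeded: the emergency is triggered automatically.
            self.state = State.EMERGENCY
            self.emergency_since = now
            self.audit_log.append((now, "system", "EMERGENCY_AUTO",
                                   {"t": list(temps), "p": list(pressures)}))
        elif self.state is State.EMERGENCY:
            expired = now - self.emergency_since >= self.hold_seconds
            if ok or expired:
                # Averted (values back in range) or hold time elapsed: back to
                # tight control. If the values are still out of range after the
                # timeout, the next evaluation triggers the emergency again.
                reason = "values_in_range" if ok else "hold_time_elapsed"
                self.state = State.NORMAL
                self.emergency_since = None
                self.audit_log.append((now, "system", "EMERGENCY_CLEARED", reason))
        return self.state

    def request(self, now: float, user: str, role: str, action: str) -> bool:
        """Access decision that depends on the operating state, not on a role switch."""
        if self.state is State.NORMAL:
            allowed = action in self.normal_rights.get(role, set())
            if not allowed:
                self.audit_log.append((now, user, "DENIED", action))
            return allowed
        # Emergency safety mode: softer control, but every access is logged so
        # that it can be checked later whether it was legitimate.
        allowed = action in self.emergency_rights
        self.audit_log.append((now, user, "EMERGENCY_ACCESS" if allowed else "DENIED", action))
        return allowed


if __name__ == "__main__":
    ctl = AccessController(Limits(t_min=20.0, t_max=80.0, p_min=0.8, p_max=2.5),
                           hold_seconds=600.0)
    ctl.evaluate_sensors(10.0, temps=[50.0, 95.0], pressures=[1.2, 1.3])
    ctl.request(11.0, "alice", "operator", "heater_off")
    for entry in ctl.audit_log:
        print(entry)
```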

The invention is explained in more detail below with reference to an exemplary embodiment shown in the drawing. It shows:

Fig. 1
a schematic representation of an automation system.

An automation system 01 shown in Fig. 1 comprises a stirrer 02 driven by a motor 03. The stirrer 02 stirs a substance in a container 04. The container 04 contains a heater 05 and a temperature sensor 06, both of which are connected to a process computer 07. Pipelines for transporting the substance into and out of the container 04 are not shown. The process computer 07 is connected to an operating and monitoring device 08. The operating and monitoring device 08 is connected to an emergency switch 09, a video camera 10 and a logging server 11. The operating and maintenance personnel 12 monitor and control the process of stirring the substance in the container 04 via the operating and monitoring device 08. In the event of an incident or emergency, the operating and maintenance personnel 12 operate the emergency switch 09, whereupon the operating and maintenance personnel 12 receive unrestricted access rights and thus unrestricted access. At the same time, however, the actions and accesses carried out by the operating and maintenance personnel 12 are recorded by the video camera 10 and logged on the logging server 11.

According to the invention, tight access control is performed for the regular operation of an automation system with an operating and monitoring device, in which the operating personnel must authenticate themselves, for example by a log-in, and can only perform those accesses to the operating and monitoring device that are additionally permitted under a defined access control policy. The aim here is not so much to achieve a high degree of confidentiality of the transmitted automation data, but rather to avoid operating errors and unauthorized accesses. The log-in procedure can be designed in any way, for example by entering a user name and/or password, by an authentication token, such as a chip card or a wireless token, or by a fingerprint or other biometric identification.

In order to be able to react appropriately in emergencies, which by their nature can contain unforeseeable aspects, extended access rights are necessary in such situations. According to the invention, extended access rights are granted in emergencies. This enables fast and flexible action that is not hindered or unnecessarily complicated by IT security measures.

For this purpose, a special emergency safety mode or a special emergency safety configuration is provided.

In this mode, the access control intended for normal or regular operation is replaced by softer measures, which can, however, be evaluated subsequently:

  • Granting extended access rights and/or, where appropriate, deactivating access control, whereby all accesses are permitted.
  • Dispensing with authentication, for example by log-in, so that anyone can use the operating and monitoring device.
  • Recording and logging the accesses made, so-called logging. This can be done on the operating and monitoring device itself or on a logging server provided specifically for this purpose, for example one housed in an emergency-proof room, such as a fireproof and/or explosion-proof room.
  • Activating video surveillance or video recording, in order to determine from the recorded video material who triggered the emergency safety mode and who carried out which accesses or actions.
  • Triggering an alarm so that emergency crews can confirm the emergency.

Replacing the hard security measures that apply in normal operation with soft security measures in an emergency enables all necessary measures to be carried out by the operating and monitoring personnel. Abuse is nevertheless prevented, since the fact that the emergency was triggered, as well as the actions taken and the accesses made, can be traced subsequently.

Access rights can thus be exceeded when needed, as it were on request. However, this is captured both by recording and logging the accesses made and by activating video surveillance, so that it can subsequently be verified whether this actually happened for a legitimate reason.

Since even slightly higher access rights may already suffice to avert the worst in an emergency, as a kind of first aid, the emergency safety mode can comprise several sub-levels. These can be activated step by step. In a first emergency activation stage, for example, only the most essential rights can be granted, for example in order to delay an imminent emergency and to initiate simple countermeasures. If more far-reaching measures are necessary to prevent the emergency, a second emergency activation stage must then also be activated, which grants even more extensive, for example unrestricted, access. For example, it is conceivable that permanent configuration changes can also be made at this stage. The activation of such a second emergency activation stage can then be protected more elaborately than that of the first emergency activation stage. For example, it is conceivable that the first emergency activation stage can be activated by a mouse click on the user interface of the operating and monitoring device, while the second emergency activation stage can be activated only via a physical safety switch, which, for example, can be operated only after breaking a protective glass.

The switch to the emergency safety mode can take place in different ways. It is important that its special significance is clear, so that it is not activated out of convenience during regular operation.

A first variant that ensures that the emergency safety mode is not activated out of convenience during regular operation can be achieved, for example, by means of a special button on a graphical user interface, the operation of which effects a manual switch to the emergency safety mode. The manual switch to the emergency safety mode can be accessible to all employees, or only to certain authenticated employees, for example only to the foreman or foremen.

A second variant that ensures that the emergency safety mode is not activated out of convenience during regular operation is the use of a physical safety switch to activate the emergency safety mode. Such a physical safety switch can be, for example, a key switch, a push-button behind a break-glass panel, as is known from fire alarms, or two spatially separated switches that must be operated by at least two persons, preferably simultaneously. In the latter case, both switches can be mounted on the automation system, but at such a distance that they cannot be operated simultaneously by one person alone. The two switches can also be arranged spatially separated from one another such that one switch is mounted, for example, on the automation system itself and the second switch in a remote security control center. The physical safety switches described can be coupled with a real fire or alarm button, so that operating them additionally triggers an alarm, for example to a plant fire brigade.

A third variant, which ensures that the emergency safety mode is not activated out of convenience during regular operation, provides a special log-in procedure, for example entering a special emergency password or using a special emergency authentication token such as an emergency smart card.

A fourth variant, which ensures that the emergency safety mode is not activated out of convenience during regular operation, is automatic and depends on the operating state of the automation plant. For this purpose, certain parameters of the automation plant are monitored and, for example by comparing them with predetermined limit values for these parameters, it is decided automatically whether a normal operating state or an emergency exists. In process-engineering automation plants, for example, pressure and temperature can be measured by suitable, preferably redundantly arranged, sensors; by comparison with fixed limit values, such as a maximum permissible temperature, a maximum permissible pressure, a minimum temperature and a minimum pressure, it can be monitored and determined automatically whether the measured values for pressure and temperature in the automation plant lie within a defined permissible operating range while a particular process is carried out, i.e. a normal operating state exists, or not, i.e. an emergency exists.

After activation, the emergency safety mode either remains in force permanently until it is manually deactivated again, for example by actuating a switch or the like, or it is automatically deactivated again after a certain predetermined period of time. The emergency safety mode can also be deactivated automatically once an emergency has been averted, for example when the measured values recorded by the sensors are again within the permissible operating range. As a further possibility, it is conceivable that the emergency safety mode remains activated only for as long as a corresponding activation switch or the like is actuated or held actuated.
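The activation variants (GUI button restricted to authenticated foremen, two spatially separated switches, sensor limit comparison) and the deactivation variants (manual, predetermined interval, emergency averted) described above can be combined into one operating-state-dependent access-control policy. The following is an added example written for this page; it is not code from the patent or from Siemens. The roles, operations, limit values and the choices that any out-of-band sensor triggers an emergency and that "averted" deactivation applies only to sensor-triggered emergencies are assumptions made here, and all access attempts are logged so that the softened controls can be evaluated afterwards.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Mode(Enum):
    NORMAL = "normal"
    EMERGENCY = "emergency"


# Role-based rights for normal operation (roles and operations are assumed for
# this example; the description only says rights are tightly, role-based specified).
NORMAL_RIGHTS = {
    "operator": {"view", "acknowledge_alarm"},
    "foreman": {"view", "acknowledge_alarm", "stop_line", "activate_emergency"},
    "maintenance": {"view", "edit_parameters"},
}
# Extended rights granted to anyone while the emergency safety mode is active.
EMERGENCY_RIGHTS = {"view", "acknowledge_alarm", "stop_line", "edit_parameters", "open_valve"}


@dataclass
class Limits:
    t_min: float  # constructed operating band for temperature and pressure
    t_max: float
    p_min: float
    p_max: float


def in_operating_range(readings: List[Tuple[float, float]], limits: Limits) -> bool:
    """Variant 4: compare every (temperature, pressure) pair from the redundant
    sensors against fixed limits. Treating any out-of-band sensor as an
    emergency is a conservative choice made here, not something the text specifies."""
    return all(
        limits.t_min <= t <= limits.t_max and limits.p_min <= p <= limits.p_max
        for t, p in readings
    )


@dataclass
class AccessController:
    limits: Limits
    hold_seconds: float = 600.0      # auto-deactivation after a predetermined interval
    two_person_window: float = 5.0   # both separated switches must be pressed within this window
    mode: Mode = Mode.NORMAL
    activated_at: Optional[float] = None
    reason: Optional[str] = None
    log: List[tuple] = field(default_factory=list)
    _presses: Dict[str, float] = field(default_factory=dict)

    def _activate(self, reason: str, now: float) -> None:
        self.mode, self.activated_at, self.reason = Mode.EMERGENCY, now, reason
        self.log.append((now, "EMERGENCY_ACTIVATED", reason))

    def deactivate(self, reason: str, now: float) -> None:
        """Manual or automatic return to normal operation."""
        self.mode, self.activated_at, self.reason = Mode.NORMAL, None, None
        self._presses.clear()
        self.log.append((now, "EMERGENCY_DEACTIVATED", reason))

    def manual_activate(self, role: str, now: float) -> bool:
        """Variant 1: GUI button, here restricted to roles holding 'activate_emergency'."""
        if "activate_emergency" not in NORMAL_RIGHTS.get(role, set()):
            self.log.append((now, "ACTIVATION_DENIED", role))
            return False
        self._activate(f"manual:{role}", now)
        return True

    def press_switch(self, switch_id: str, now: float) -> bool:
        """Variant 2: two spatially separated switches, both pressed within the window."""
        self._presses[switch_id] = now
        recent = [t for t in self._presses.values() if now - t <= self.two_person_window]
        if len(recent) >= 2 and self.mode is Mode.NORMAL:
            self._activate("two_person_switch", now)
            return True
        return False

    def update_sensors(self, readings: List[Tuple[float, float]], now: float) -> Mode:
        """Variant 4 activation; 'emergency averted' deactivation is applied only
        to a sensor-triggered emergency (a design choice made in this example)."""
        ok = in_operating_range(readings, self.limits)
        if not ok and self.mode is Mode.NORMAL:
            self._activate("sensor_limit", now)
        elif ok and self.mode is Mode.EMERGENCY and self.reason == "sensor_limit":
            self.deactivate("averted", now)
        return self.mode

    def tick(self, now: float) -> Mode:
        """Time-based deactivation once hold_seconds have elapsed since activation."""
        if self.mode is Mode.EMERGENCY and now - self.activated_at >= self.hold_seconds:
            self.deactivate("timeout", now)
        return self.mode

    def authorize(self, role: str, operation: str, now: float) -> bool:
        """Normal mode: role-based rights. Emergency mode: extended rights for
        everyone, with every access attempt logged for later evaluation."""
        self.tick(now)
        if self.mode is Mode.EMERGENCY:
            allowed = operation in EMERGENCY_RIGHTS
        else:
            allowed = operation in NORMAL_RIGHTS.get(role, set())
        self.log.append((now, "ACCESS", self.mode.value, role, operation, allowed))
        return allowed
```

Time is passed in explicitly (`now`) rather than read from the clock so the timeout and the two-person window can be exercised deterministically; in a plant controller the same calls would be driven by the sensor scan cycle and the switch inputs. The log is the evidence trail the claims rely on: because authentication is relaxed in the emergency mode, the only control left over those extended rights is that every attempt is recorded.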

Claims (27)

  1. Method for access control to an automation plant (01), wherein,
    access rights predetermined by the access control are dependent on the operating state of the automation plant (01),
    characterised in that at least during an emergency extended access rights are granted independently of the access rights in normal operation.
  2. Method according to claim 1,
    characterised in that,
    in order to detect the operating state, the automation plant (01) is monitored.
  3. Method according to claim 2,
    characterised in that,
    monitoring takes place automatically by means of suitable sensors (06).
  4. Method according to claim 2,
    characterised in that,
    monitoring is carried out by operating and maintenance personnel (12).
  5. Method according to one of the preceding claims,
    characterised in that,
    an emergency is automatically triggered as soon as specific process variables of the automation plant (01) exceed predetermined limit values.
  6. Method according to one of claims 1 to 4,
    characterised in that,
    an emergency is triggered manually.
  7. Method according to one of the preceding claims,
    characterised in that,
    the access rights in normal operation are tightly specified in order to prevent incorrect operation and unauthorised access.
  8. Method according to one of the preceding claims,
    characterised in that,
    in normal operation the access rights are specified in a role-based manner.
  9. Method according to one of the preceding claims,
    characterised in that,
    in normal operation, in order to obtain access rights and/or to obtain additional and/or other access rights, identification of the accessing party or authentication is carried out.
  10. Method according to one of the preceding claims,
    characterised in that,
    when an emergency occurs an alarm is triggered for automatic signalling and activation of emergency measures.
  11. Method according to one of the preceding claims,
    characterised in that,
    at least in an emergency the actions taken and access effected by operating and maintenance personnel (12) are recorded and/or logged.
  12. Method according to one of the preceding claims,
    characterised in that,
    at least in an emergency a special emergency safety mode is provided in which the tight control and allocation of access rights provided for normal operation is replaced by softer measures which can be or are evaluated later.
  13. Method according to claim 12,
    characterised in that,
    the softer measures include the granting of extended access rights and/or deactivation of the control and allocation of access rights, which permits all operations and access attempts.
  14. Method according to claim 12,
    characterised in that,
    the softer measures include dispensing with an authentication, whereby anyone can use an operating and monitoring unit (08) that is controlling the automation plant (01).
  15. Method according to claim 12, 13 or 14,
    characterised in that,
    recording and logging of the access attempts is implemented for later evaluation of the softer measures.
  16. Method according to one of claims 12 to 15,
    characterised in that,
    video monitoring (10) or video recording is activated for later evaluation of the softer measures.
  17. Method according to one of claims 12 to 16,
    characterised in that,
    the emergency safety mode includes a plurality of sublevels with different access rights, which can be or are incrementally activated.
  18. Method according to one of claims 12 to 17,
    characterised in that,
    activation of the emergency safety mode is effected manually.
  19. Method according to claim 18,
    characterised in that,
    activation of the emergency safety mode is implemented by actuation of a special switch surface on a graphical operator interface.
  20. Method according to claim 18,
    characterised in that,
    activation of the emergency safety mode is implemented by actuation of a physical safety switch (09).
  21. Method according to claim 20,
    characterised in that,
    the physical switch (09) is coupled to a fire or alarm button.
  22. Method according to claim 18,
    characterised in that,
    activation of the emergency safety mode is implemented by a special log-in procedure.
  23. Method according to one of claims 12 to 17,
    characterised in that,
    activation of the emergency safety mode is automatically implemented dependent on the operating state of the automation plant (01).
  24. Method according to one of claims 12 to 23,
    characterised in that,
    after activation the emergency safety mode remains in force until it is manually deactivated again.
  25. Method according to one of claims 12 to 23,
    characterised in that,
    after activation the emergency safety mode is automatically deactivated again on expiration of a certain predetermined time interval.
  26. Method according to one of claims 12 to 23,
    characterised in that,
    after activation the emergency safety mode is automatically deactivated after an emergency has been averted.
  27. Method according to one of claims 12 to 23,
    characterised in that,
    the emergency safety mode remains activated only for as long as a corresponding activation switch (09) is actuated.
EP08803303A 2007-09-25 2008-08-28 Method for the access control to an automation unit Active EP2193406B1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102007045772A DE102007045772A1 (en) 2007-09-25 2007-09-25 Method for access control to an automation system
PCT/EP2008/061277 WO2009040206A1 (en) 2007-09-25 2008-08-28 Method for the access control to an automation unit

Publications (2)

Publication Number Publication Date
EP2193406A1 EP2193406A1 (en) 2010-06-09
EP2193406B1 true EP2193406B1 (en) 2011-07-20

Family

ID=40227786

Family Applications (1)

Application Number Title Priority Date Filing Date
EP08803303A Active EP2193406B1 (en) 2007-09-25 2008-08-28 Method for the access control to an automation unit

Country Status (7)

Country Link
US (1) US8890652B2 (en)
EP (1) EP2193406B1 (en)
CN (1) CN101809518B (en)
AT (1) ATE517376T1 (en)
DE (1) DE102007045772A1 (en)
ES (1) ES2368670T3 (en)
WO (1) WO2009040206A1 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102007045772A1 (en) 2007-09-25 2009-04-02 Siemens Ag Method for access control to an automation system
EP2224300B1 (en) * 2009-02-27 2018-07-11 Siemens Aktiengesellschaft Method of providing data access in an industrial automation system, computer program product and industrial automation system
US20110010624A1 (en) * 2009-07-10 2011-01-13 Vanslette Paul J Synchronizing audio-visual data with event data
DE102010041338A1 (en) * 2010-09-24 2012-03-29 Siemens Aktiengesellschaft Medical device activatable by an identification element
WO2012078475A2 (en) * 2010-12-07 2012-06-14 Gautam Dasgupta Emergency response management apparatuses, methods and systems
CH706997A1 (en) * 2012-09-20 2014-03-31 Ferag Ag Access control on operating modules of a control unit.
US20140266715A1 (en) * 2013-03-15 2014-09-18 Honeywell International Inc. Access Control Systems with Variable Threat Level
GB201315117D0 (en) * 2013-08-23 2013-10-09 Dinky Assets Ltd A combination care monitoring and access control system
CN106534222A (en) * 2017-01-10 2017-03-22 深圳市思榕科技有限公司 Password authority control login system
US10705948B2 (en) 2017-10-30 2020-07-07 Bank Of America Corporation Robotic process automation simulation of environment access for application migration
CN112118299B (en) * 2020-09-04 2023-01-13 四川蜂巢智造云科技有限公司 System for separating equipment management data and production service data
US11798331B2 (en) 2022-03-08 2023-10-24 Motorola Solutions, Inc. Method and apparatus for increasing security at an access point

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19801137A1 (en) * 1998-01-14 1999-07-22 Siemens Ag Automation system operating method e.g. for rapid shut-down of automated processes in emergency
US6201996B1 (en) * 1998-05-29 2001-03-13 Control Technology Corporationa Object-oriented programmable industrial controller with distributed interface architecture
US6422463B1 (en) * 1999-12-31 2002-07-23 Jonathan C. Flink Access control system
US7043310B2 (en) * 2001-02-16 2006-05-09 Siemens Aktiengesellschaft Device and process for operation of automation components
US20040162996A1 (en) * 2003-02-18 2004-08-19 Nortel Networks Limited Distributed security for industrial networks
DE10313409A1 (en) * 2003-03-25 2004-11-18 Continental Teves Ag & Co. Ohg Method for avoiding incorrect actuator access in a multifunctional electronic overall control system
US7895234B2 (en) * 2003-09-22 2011-02-22 Rockwell Automation Technologies, Inc. Systems and methods for sharing portal configurations
US7415720B2 (en) * 2003-10-31 2008-08-19 Samsung Electronics Co., Ltd. User authentication system and method for controlling the same
JP2005293282A (en) * 2004-03-31 2005-10-20 Toshiba Corp Information processor, starting method for information processor, and starting program for information processor
US7530113B2 (en) * 2004-07-29 2009-05-05 Rockwell Automation Technologies, Inc. Security system and method for an industrial automation system
DE102007045772A1 (en) 2007-09-25 2009-04-02 Siemens Ag Method for access control to an automation system

Also Published As

Publication number Publication date
CN101809518A (en) 2010-08-18
DE102007045772A1 (en) 2009-04-02
ES2368670T3 (en) 2011-11-21
EP2193406A1 (en) 2010-06-09
US20100201480A1 (en) 2010-08-12
WO2009040206A1 (en) 2009-04-02
CN101809518B (en) 2014-08-13
ATE517376T1 (en) 2011-08-15
US8890652B2 (en) 2014-11-18

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20100211

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL BA MK RS

DAX Request for extension of the european patent (deleted)
GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

Free format text: NOT ENGLISH

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 502008004272

Country of ref document: DE

Effective date: 20110915

REG Reference to a national code

Ref country code: NL

Ref legal event code: VDEP

Effective date: 20110720

REG Reference to a national code

Ref country code: ES

Ref legal event code: FG2A

Ref document number: 2368670

Country of ref document: ES

Kind code of ref document: T3

Effective date: 20111121

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20111020

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20111121

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20111120

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

REG Reference to a national code

Ref country code: IE

Ref legal event code: FD4D

BERE Be: lapsed

Owner name: SIEMENS A.G.

Effective date: 20110831

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20111021

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110831

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

Ref country code: IE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110831

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

26N No opposition filed

Effective date: 20120423

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 502008004272

Country of ref document: DE

Effective date: 20120423

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20120831

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20120831

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110828

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20111020

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

REG Reference to a national code

Ref country code: AT

Ref legal event code: MM01

Ref document number: 517376

Country of ref document: AT

Kind code of ref document: T

Effective date: 20130828

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AT

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20130828

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 9

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 10

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 11

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20190805

Year of fee payment: 12

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: ES

Payment date: 20191126

Year of fee payment: 12

GBPC Gb: european patent ceased through non-payment of renewal fee

Effective date: 20200828

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GB

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200828

REG Reference to a national code

Ref country code: ES

Ref legal event code: FD2A

Effective date: 20220110

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200829

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: IT

Payment date: 20230828

Year of fee payment: 16

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20230905

Year of fee payment: 17

Ref country code: DE

Payment date: 20230808

Year of fee payment: 16